|
|
Hex:
|
|
:10 4400 00 55425C0135D0085A8245002831400044 AD
|
|
:10 4410 00 3F4000000F930824924200285C012F83 44
|
|
:10 4420 00 9F4F6E470024F8233F4000040F930724 5A
|
|
:10 4430 00 924200285C011F83CF430024F9233150 AE
|
|
:10 4440 00 E0FF3F403446B01286453F405846B012 28
|
|
:10 4450 00 86450312031230124000B01250453150 0D
|
|
:10 4460 00 06003F406F46B0128645031203123012 19
|
|
:10 4470 00 7F00B0125045315006003F409146B012 C7
|
|
:10 4480 00 86453F40C646B01286453D4020000E43 5B
|
|
:10 4490 00 0F41B012C8453F40FC46B01286450D41 61
|
|
:10 44A0 00 3E4000100F43B012B6450B430F410F5B 67
|
|
:10 44B0 00 6E4F0F4E3FF00F005A4F104712C34E10 71
|
|
:10 44C0 00 12C34E1012C34E1012C34E103EF00F00 16
|
|
:10 44D0 00 5F4E1047B01278454F4AB01278451B53 D3
|
|
:10 44E0 00 3B902000E3233F402147B01286453F40 E8
|
|
:10 44F0 00 2247B01286453D4000040E433F400024 51
|
|
:10 4500 00 B012C8453E40FF033F400024B0126845 4A
|
|
:10 4510 00 5B4200248B105F4201240BDF5A420224 CD
|
|
:10 4520 00 2A93052C3F403E47B0128645E03F3F40 6E
|
|
:10 4530 00 5547B01286450D4A3E4003240F4BB012 3A
|
|
:10 4540 00 A4458B12D43F32D0F000FD3F30403246 BC
|
|
:10 4550 00 1F41020002124F4F8F103FD00080024F C8
|
|
:10 4560 00 B0121000324130410E120F122312B012 5D
|
|
:10 4570 00 50453150060030418F110F120312B012 16
|
|
:10 4580 00 5045215230410B120B4F033C1B53B012 CC
|
|
:10 4590 00 78456F4B4F93FA237F400A00B0127845 5D
|
|
:10 45A0 00 3B4130410C4F043CFC4E00001C533D53 3A
|
|
:10 45B0 00 0D93FA2330410D120E120F1230124100 EA
|
|
:10 45C0 00 B0125045315230410B120A1209120812 32
|
|
:10 45D0 00 3D900600092C0C4F043CCC4E00001C53 AF
|
|
:10 45E0 00 3D530D93FA23203C4E4E4B4E0B930324 28
|
|
:10 45F0 00 0C4B8C100BDC1FB306243D53CF4E0000 38
|
|
:10 4600 00 094F1953013C094F0C4D12C30C100A49 B4
|
|
:10 4610 00 084C8A4B00002A533853FB230C5C0C59 7E
|
|
:10 4620 00 1DF30224CC4E0000384139413A413B41 50
|
|
:04 4630 00 30410013 02
|
|
Strings:
|
|
:10 4634 00 57656C636F6D6520746F207468652074 B2
|
|
:10 4644 00 6573742070726F6772616D206C6F6164 42
|
|
:10 4654 00 65722E00456E61626C696E6720686172 D6
|
|
:10 4664 00 64656E6564206D6F6465005665726966 85
|
|
:10 4674 00 79696E67203078376620696E74657272 66
|
|
:10 4684 00 7570742064697361626C656400307837 96
|
|
:10 4694 00 6620696E746572727570742064697361 E2
|
|
:10 46A4 00 626C65642C206B65792073746F726564 29
|
|
:10 46B4 00 20696E20696E7465726E616C20535241 7C
|
|
:10 46C4 00 4D00756E6C6F636B2062792070726F76 2B
|
|
:10 46D4 00 6964696E672074686520313620627974 74
|
|
:10 46E4 00 65206B657920746F203078343120696E D1
|
|
:10 46F4 00 7465727275707400496E7465726E616C 63
|
|
:10 4704 00 205352414D20486173683A0030313233 AE
|
|
:10 4714 00 3435363738394142434445460000506C FD
|
|
:10 4724 00 6561736520656E746572206465627567 82
|
|
:10 4734 00 207061796C6F61642E00496E76616C69 DA
|
|
:10 4744 00 64207061796C6F6164206C656E677468 55
|
|
:10 4754 00 00457865637574696E67206465627567 82
|
|
:0A 4764 00 207061796C6F61640000 41
|
|
Vector_Table:
|
|
:10 FF80 00 4C454C454C454C454C454C454C454C45 E9
|
|
:10 FF90 00 4C454C454C454C454C454C454C450044 26
|
|
Entry:
|
|
:04 0000 03 00004400 B5
|
|
:00 0000 01 FF
|
|
|
|
Obj:
|
|
0010 <__trap_interrupt>
; Trap stub at 0x0010. INT (0x4550) calls this address after loading SR with the
; interrupt request; the stub itself only returns.
; NOTE(review): whatever services the request is outside this listing — confirm against the platform manual.
|
|
0010: 3041 ret
|
|
4400 <__watchdog_support>
; First code executed: the Entry record and the last vector-table word both give 0x4400.
; Reads the byte at &0x015c, ORs in 0x5a08 and saves the word at &0x2800. The copy/clear
; loops that follow write that saved word back to &0x015c on every pass.
; NOTE(review): presumably watchdog servicing, going by the symbol name — confirm.
|
|
4400: 5542 5c01 mov.b &0x015c, r5
|
|
4404: 35d0 085a bis #0x5a08, r5
|
|
4408: 8245 0028 mov r5, &0x2800
|
|
440c <__init_stack>
; Sets the initial stack pointer to 0x4400, the address where the code image begins,
; so pushes land in the memory just below the code.
|
|
440c: 3140 0044 mov #0x4400 <__watchdog_support>, sp
|
|
4410 <__do_copy_data>
; Copy loop for initialised data: r15 is a byte count, and each pass moves one word from
; 0x476e+r15 to 0x2400+r15, working from the top down.
; The count loaded here is 0 (the listing prints the mov #0 encoding as clr), so the
; jz at 0x4416 is always taken and nothing is copied in this image.
|
|
4410: 3f40 0000 clr r15
|
|
4414: 0f93 tst r15
|
|
4416: 0824 jz #0x4428 <__do_clear_bss+0x0>
|
|
; write the word saved at &0x2800 back to &0x015c on every pass
4418: 9242 0028 5c01 mov &0x2800, &0x015c
|
|
441e: 2f83 decd r15
|
|
4420: 9f4f 6e47 0024 mov 0x476e(r15), 0x2400(r15)
|
|
; mov leaves the flags alone, so this tests the result of the decd above
4426: f823 jnz #0x4418 <__do_copy_data+0x8>
|
|
4428 <__do_clear_bss>
; Zeroes the 0x400 bytes at 0x2400-0x27ff, one byte per pass from the top down, then
; falls through into main at 0x443e.
|
|
4428: 3f40 0004 mov #0x400, r15
|
|
442c: 0f93 tst r15
|
|
442e: 0724 jz #0x443e <main+0x0>
|
|
; write the word saved at &0x2800 back to &0x015c on every pass
4430: 9242 0028 5c01 mov &0x2800, &0x015c
|
|
4436: 1f83 dec r15
|
|
4438: cf43 0024 mov.b #0x0, 0x2400(r15)
|
|
; mov.b leaves the flags alone, so this tests the result of the dec above
443c: f923 jnz #0x4430 <__do_clear_bss+0x8>
|
|
|
|
443e <main>
; Loader entry, reached by fall-through from __do_clear_bss. Prints the banner, issues
; interrupts 0x40 and 0x7f, prints a 32-byte digest obtained through sha256_internal as
; hex, then loops forever: read a payload into 0x2400, copy it to the address named in
; the payload header, and call it.
; Payload layout as read below: byte 0-1 = load address (big-endian), byte 2 = length,
; byte 3.. = payload body.
; Register use: r11 = loop index i, later loadaddr; r10 = lower_char, later len.
; main never returns; its last instruction is an unconditional jmp back to the prompt.
|
|
; char sha_buf[0x20];
|
|
; adding 0xffe0 is sp -= 0x20 in 16-bit arithmetic; sha_buf is the 0x20 bytes at sp
443e: 3150 e0ff add #0xffe0, sp
|
|
; puts ("Welcome to the test program loader.");
|
|
4442: 3f40 3446 mov #0x4634 "Welcome to the test program loader." <__data_start+0x2234>, r15
|
|
4446: b012 8645 call #0x4586 <puts>
|
|
; puts ("Enabling hardened mode");
|
|
444a: 3f40 5846 mov #0x4658 "Enabling hardened mode" r15
|
|
444e: b012 8645 call #0x4586 <puts>
|
|
; INT (0x40);
; two zero words are pushed as arguments, then the interrupt number; what 0x40 does is not
; shown in this listing (the banner printed just above says "Enabling hardened mode")
|
|
4452: 0312 push #0x0
|
|
4454: 0312 push #0x0
|
|
4456: 3012 4000 push #0x40
|
|
445a: b012 5045 call #0x4550 <INT>
|
|
; caller drops the three pushed words
445e: 3150 0600 add #0x6, sp
|
|
|
|
; puts ("Verifying 0x7f interrupt disabled");
|
|
4462: 3f40 6f46 mov #0x466f "Verifying 0x7f interrupt disabled" r15
|
|
4466: b012 8645 call #0x4586 <puts>
|
|
; INT (0x7f);
; NOTE(review): nothing after the call inspects a result, so the "disabled" message below is
; printed unconditionally as far as this listing shows
|
|
446a: 0312 push #0x0
|
|
446c: 0312 push #0x0
|
|
446e: 3012 7f00 push #0x7f
|
|
4472: b012 5045 call #0x4550 <INT>
|
|
|
|
4476: 3150 0600 add #0x6, sp
|
|
; puts ("0x7f interrupt disabled, key stored in internal SRAM");
|
|
447a: 3f40 9146 mov #0x4691 "0x7f interrupt disabled, key stored in internal SRAM" r15
|
|
447e: b012 8645 call #0x4586 <puts>
|
|
; puts ("unlock by providing the 16 byte key to 0x41 interrupt");
|
|
4482: 3f40 c646 mov #0x46c6 "unlock by providing the 16 byte key to 0x41 interrupt" r15
|
|
4486: b012 8645 call #0x4586 <puts>
|
|
; memset (&sha_buf, 0, 0x20);
|
|
448a: 3d40 2000 mov #0x20, r13
|
|
448e: 0e43 clr r14
|
|
4490: 0f41 mov sp, r15
|
|
4492: b012 c845 call #0x45c8 <memset>
|
|
; puts ("Internal SRAM Hash:");
|
|
4496: 3f40 fc46 mov #0x46fc "Internal SRAM Hash:" r15
|
|
449a: b012 8645 call #0x4586 <puts>
|
|
; sha256_internal (0, 0x1000, &sha_buf);
; NOTE(review): the arguments look like (start = 0, length = 0x1000, out = sha_buf) — confirm.
; The digest is printed below; if the key lies in that range, as the banner strings
; suggest, the console output is derived from secret material.
|
|
449e: 0d41 mov sp, r13
|
|
44a0: 3e40 0010 mov #0x1000, r14
|
|
44a4: 0f43 clr r15
|
|
44a6: b012 b645 call #0x45b6 <sha256_internal>
|
|
print_hash_inline:
|
|
; for (i /* r11 */ = 0; i != 0x20; i++)
|
|
44aa: 0b43 clr r11
|
|
pha_loop:
|
|
; byte /* r14 */ = sha_buf[i];
|
|
44ac: 0f41 mov sp, r15
|
|
44ae: 0f5b add r11, r15
|
|
44b0: 6e4f mov.b @r15, r14
|
|
; lower_nibble /* r15 */ = byte & 0xf;
|
|
44b2: 0f4e mov r14, r15
|
|
44b4: 3ff0 0f00 and #0xf, r15
|
|
; lower_char /* r10 */ = "0123456789ABCDEF"[lower_nibble];
|
|
44b8: 5a4f 1047 mov.b 0x4710(r15), r10
|
|
; upper_nibble /* r14 */ = (byte >> 0x4) & 0xf;
; four clrc / rrc.b pairs: each is a logical right shift of the byte by one bit
|
|
44bc: 12c3 clrc
|
|
44be: 4e10 rrc.b r14
|
|
44c0: 12c3 clrc
|
|
44c2: 4e10 rrc.b r14
|
|
44c4: 12c3 clrc
|
|
44c6: 4e10 rrc.b r14
|
|
44c8: 12c3 clrc
|
|
44ca: 4e10 rrc.b r14
|
|
44cc: 3ef0 0f00 and #0xf, r14
|
|
; putchar("0123456789ABCDEF"[upper_nibble]);
|
|
44d0: 5f4e 1047 mov.b 0x4710(r14), r15
|
|
44d4: b012 7845 call #0x4578 <putchar>
|
|
; putchar(lower_char);
|
|
44d8: 4f4a mov.b r10, r15
|
|
44da: b012 7845 call #0x4578 <putchar>
|
|
; ... i != 0x20; i++)
|
|
44de: 1b53 inc r11
|
|
44e0: 3b90 2000 cmp #0x20, r11
|
|
44e4: e323 jne #0x44ac <main+0x6e> <pha_loop>
|
|
; puts (""); // prints newline
; 0x4721 holds a zero byte (see the Strings hex record at 0x4714), i.e. an empty string
|
|
44e6: 3f40 2147 mov #0x4721, r15
|
|
44ea: b012 8645 call #0x4586 <puts>
|
|
; while(true) {
|
|
; puts ("Please enter debug payload.");
|
|
44ee: 3f40 2247 mov #0x4722 "Please enter debug payload." r15
|
|
44f2: b012 8645 call #0x4586 <puts>
|
|
; memset (0x2400, 0, 0x400);
|
|
44f6: 3d40 0004 mov #0x400, r13
|
|
44fa: 0e43 clr r14
|
|
44fc: 3f40 0024 mov #0x2400, r15
|
|
4500: b012 c845 call #0x45c8 <memset>
|
|
; getsn (0x2400, 0x3ff);
; the limit passed is one less than the 0x400 bytes just cleared
|
|
4504: 3e40 ff03 mov #0x3ff, r14
|
|
4508: 3f40 0024 mov #0x2400, r15
|
|
450c: b012 6845 call #0x4568 <getsn>
|
|
; loadaddr = (buf[0] << 8) + (buf[1]);
; r11 = buf[0], swpb moves it to the high byte, bis merges buf[1] into the low byte
|
|
4510: 5b42 0024 mov.b &0x2400, r11
|
|
4514: 8b10 swpb r11
|
|
4516: 5f42 0124 mov.b &0x2401, r15
|
|
451a: 0bdf bis r15, r11
|
|
; len /* r10 */ = buf[2];
|
|
451c: 5a42 0224 mov.b &0x2402, r10
|
|
; if (len < 2) {   // jc is taken when r10 >= 2 (unsigned); len is one byte, so at most 0xff
4520: 2a93 cmp #0x2, r10
|
|
4522: 052c jc #0x452e <main+0xf0>
|
|
|
|
; puts ("Invalid payload length");
4524: 3f40 3e47 mov #0x473e "Invalid payload length" r15
|
|
4528: b012 8645 call #0x4586 <puts>
|
|
; continue;
|
|
452c: e03f jmp #0x44ee <main+0xb0>
|
|
execute_debug_payload:
|
|
; puts ("Executing debug payload");
452e: 3f40 5547 mov #0x4755 "Executing debug payload" r15
|
|
4532: b012 8645 call #0x4586 <puts>
|
|
; memcpy (loadaddr, 0x2403, len);
; NOTE(review): loadaddr is two bytes of input and is used unchecked as both the copy
; destination and the call target; the only validation in this loop is len >= 2.
; No address-range check is visible, so where the payload lands and what gets
; executed is decided entirely by the input.
|
|
4536: 0d4a mov r10, r13
|
|
4538: 3e40 0324 mov #0x2403, r14
|
|
453c: 0f4b mov r11, r15
|
|
453e: b012 a445 call #0x45a4 <memcpy>
|
|
; loadaddr();
; r11 still holds loadaddr here: memcpy as listed does not write r11
|
|
4542: 8b12 call r11
|
|
; continue;
|
|
4544: d43f jmp #0x44ee <main+0xb0>
|
|
|
|
4546 <__stop_progExec__>
; Sets SR bits 0xf0 and then spins on itself. Not reached by fall-through: main ends in
; an unconditional jmp at 0x4544.
; NOTE(review): on MSP430, SR bits 4-7 are the CPUOFF/OSCOFF/SCG0/SCG1 low-power bits — confirm for this core.
|
|
4546: 32d0 f000 bis #0xf0, sr
|
|
454a: fd3f jmp #0x4546 <__stop_progExec__+0x0>
|
|
454c <__ctors_end>
; Default interrupt target: every word in the Vector_Table records except the last is
; 0x454c, so those vectors land here and branch on to _unexpected_ at 0x4632.
|
|
454c: 3040 3246 br #0x4632 <_unexpected_>
|
|
4550 <INT>
; Software-interrupt gate used by main, getsn, putchar and sha256_internal.
; In:    interrupt number in the word at 0x2(sp), i.e. the last word the caller pushed;
;        any further arguments sit above it on the stack and are not read here.
; Does:  saves SR, loads SR with 0x8000 | (number << 8), calls 0x0010, restores SR.
; Clobb: r15. The caller removes its own pushed arguments after the return.
|
|
4550: 1f41 0200 mov 0x2(sp), r15
|
|
4554: 0212 push sr
|
|
; keep only the low byte of the number
4556: 4f4f mov.b r15, r15
|
|
; move it into the high byte
4558: 8f10 swpb r15
|
|
455a: 3fd0 0080 bis #0x8000, r15
|
|
455e: 024f mov r15, sr
|
|
4560: b012 1000 call #0x10
|
|
4564: 3241 pop sr
|
|
4566: 3041 ret
|
|
4568 <getsn>
; getsn (buf /* r15 */, max /* r14 */): pushes max, buf and interrupt number 0x2, calls
; INT, then drops the 6 bytes of arguments.
; NOTE(review): the length limit is applied, if at all, by the interrupt handler, which is
; not part of this listing — confirm before relying on it.
|
|
4568: 0e12 push r14
|
|
456a: 0f12 push r15
|
|
456c: 2312 push #0x2
|
|
456e: b012 5045 call #0x4550 <INT>
|
|
4572: 3150 0600 add #0x6, sp
|
|
4576: 3041 ret
|
|
4578 <putchar>
; putchar (c /* r15 */): sign-extends the low byte of r15 to a word, pushes it followed by
; interrupt number 0x0, calls INT, then drops the 4 bytes of arguments.
|
|
4578: 8f11 sxt r15
|
|
457a: 0f12 push r15
|
|
457c: 0312 push #0x0
|
|
457e: b012 5045 call #0x4550 <INT>
|
|
4582: 2152 add #0x4, sp
|
|
4584: 3041 ret
|
|
4586 <puts>
; puts (s /* r15 */): writes each byte of s through putchar until a zero byte is read, then
; writes a newline (0x0a). r11 walks the string and is saved and restored around the body.
; There is no length bound; the loop stops only at a zero byte.
|
|
4586: 0b12 push r11
|
|
4588: 0b4f mov r15, r11
|
|
; enter the loop at the load/test, so an empty string prints only the newline
458a: 033c jmp #0x4592 <puts+0xc>
|
|
; r15 still holds the byte loaded at 0x4592; advance the pointer, then print it
458c: 1b53 inc r11
|
|
458e: b012 7845 call #0x4578 <putchar>
|
|
4592: 6f4b mov.b @r11, r15
|
|
4594: 4f93 tst.b r15
|
|
4596: fa23 jnz #0x458c <puts+0x6>
|
|
4598: 7f40 0a00 mov.b #0xa, r15
|
|
459c: b012 7845 call #0x4578 <putchar>
|
|
45a0: 3b41 pop r11
|
|
45a2: 3041 ret
|
|
45a4 <memcpy>
; memcpy (dst /* r15 */, src /* r14 */, n /* r13 */): forward byte copy.
; r12 is the running destination, r14 is post-incremented as the source, and r13 counts
; down to zero. r15 is not modified, so it still holds dst on return.
; No bounds or overlap checks are made here; the caller is responsible for both.
|
|
45a4: 0c4f mov r15, r12
|
|
; enter at the count test so n == 0 copies nothing
45a6: 043c jmp #0x45b0 <memcpy+0xc>
|
|
45a8: fc4e 0000 mov.b @r14+, 0x0(r12)
|
|
45ac: 1c53 inc r12
|
|
45ae: 3d53 add #-0x1, r13
|
|
45b0: 0d93 tst r13
|
|
45b2: fa23 jnz #0x45a8 <memcpy+0x4>
|
|
45b4: 3041 ret
|
|
45b6 <sha256_internal>
; sha256_internal (r15, r14, r13): pushes r13, r14, r15 and interrupt number 0x41, calls
; INT, then drops the 8 bytes of arguments. The hashing itself is not in this listing;
; this routine only forwards its three arguments to the interrupt.
; main calls it as (0, 0x1000, &sha_buf).
|
|
45b6: 0d12 push r13
|
|
45b8: 0e12 push r14
|
|
45ba: 0f12 push r15
|
|
45bc: 3012 4100 push #0x41
|
|
45c0: b012 5045 call #0x4550 <INT>
|
|
45c4: 3152 add #0x8, sp
|
|
45c6: 3041 ret
|
|
45c8 <memset>
; memset (dst /* r15 */, c /* r14 */, n /* r13 */): fills n bytes at dst with the low byte of c.
; n < 6 takes a plain byte loop. Otherwise: one leading byte if dst is odd, then n/2 word
; stores of the byte replicated into both halves, then one trailing byte if a byte remains.
; r8-r11 are saved and restored; r12 is scratch. r15 is not modified, so it still holds
; dst on return. No bounds checks are made here.
|
|
45c8: 0b12 push r11
|
|
45ca: 0a12 push r10
|
|
45cc: 0912 push r9
|
|
45ce: 0812 push r8
|
|
; n >= 6 (unsigned) goes to the word-fill path at 0x45e8
45d0: 3d90 0600 cmp #0x6, r13
|
|
45d4: 092c jc #0x45e8 <memset+0x20>
|
|
; short path: byte loop, r12 = running destination
45d6: 0c4f mov r15, r12
|
|
45d8: 043c jmp #0x45e2 <memset+0x1a>
|
|
45da: cc4e 0000 mov.b r14, 0x0(r12)
|
|
45de: 1c53 inc r12
|
|
45e0: 3d53 add #-0x1, r13
|
|
45e2: 0d93 tst r13
|
|
45e4: fa23 jnz #0x45da <memset+0x12>
|
|
45e6: 203c jmp #0x4628 <memset+0x60>
|
|
; word path: reduce c to its low byte
45e8: 4e4e mov.b r14, r14
|
|
45ea: 4b4e mov.b r14, r11
|
|
; a zero fill byte needs no replication
45ec: 0b93 tst r11
|
|
45ee: 0324 jz #0x45f6 <memset+0x2e>
|
|
; r11 = (c << 8) | c, the fill word
45f0: 0c4b mov r11, r12
|
|
45f2: 8c10 swpb r12
|
|
45f4: 0bdc bis r12, r11
|
|
; odd dst: store one byte first so the word stores start on an even address
45f6: 1fb3 bit #0x1, r15
|
|
45f8: 0624 jz #0x4606 <memset+0x3e>
|
|
45fa: 3d53 add #-0x1, r13
|
|
45fc: cf4e 0000 mov.b r14, 0x0(r15)
|
|
; r9 = first word-aligned address to fill
4600: 094f mov r15, r9
|
|
4602: 1953 inc r9
|
|
4604: 013c jmp #0x4608 <memset+0x40>
|
|
4606: 094f mov r15, r9
|
|
; r12 = remaining byte count / 2 = number of word stores
4608: 0c4d mov r13, r12
|
|
460a: 12c3 clrc
|
|
460c: 0c10 rrc r12
|
|
; r10 = running word pointer, r8 = words left
460e: 0a49 mov r9, r10
|
|
4610: 084c mov r12, r8
|
|
4612: 8a4b 0000 mov r11, 0x0(r10)
|
|
4616: 2a53 incd r10
|
|
4618: 3853 add #-0x1, r8
|
|
; tests the flags from the add on r8 just above
461a: fb23 jnz #0x4612 <memset+0x4a>
|
|
; r12 = r9 + 2 * words = address just past the last word written
461c: 0c5c add r12, r12
|
|
461e: 0c59 add r9, r12
|
|
; one byte left over when the remaining count was odd
4620: 1df3 and #0x1, r13
|
|
4622: 0224 jz #0x4628 <memset+0x60>
|
|
4624: cc4e 0000 mov.b r14, 0x0(r12)
|
|
; common epilogue: restore in reverse push order
4628: 3841 pop r8
|
|
462a: 3941 pop r9
|
|
462c: 3a41 pop r10
|
|
462e: 3b41 pop r11
|
|
4630: 3041 ret
|
|
4632 <_unexpected_>
; Target of the branch at __ctors_end (0x454c): returns from the interrupt with reti and
; does nothing else.
|
|
4632: 0013 reti pc
|
|
4634 <__data_start+0x2234>
|
|
4634 .strings:
|
|
4634: "Welcome to the test program loader."
|
|
4658: "Enabling hardened mode"
|
|
466f: "Verifying 0x7f interrupt disabled"
|
|
4691: "0x7f interrupt disabled, key stored in internal SRAM"
|
|
46c6: "unlock by providing the 16 byte key to 0x41 interrupt"
|
|
46fc: "Internal SRAM Hash:"
|
|
4710: "0123456789ABCDEF"
|
|
4722: "Please enter debug payload."
|
|
473e: "Invalid payload length"
|
|
4755: "Executing debug payload"
|
|
|
|
Prereqs: "Vancouver"
|
|
Name: "Halifax"
|
|
Text:
|
|
Lockitall LOCKIT 2 r A.01
|
|
______________________________________________________________________
|
|
|
|
User Manual: Lockitall LockIT 2, rev a.01
|
|
______________________________________________________________________
|
|
|
|
|
|
OVERVIEW
|
|
|
|
- This new lock adds a hardened mode and disables the 0x7f
|
|
interrupt.
|
|
|
|
|
|
DETAILS
|
|
|
|
An example in-field debug payload follows. Any payload is
|
|
allowed, because the unlock key must be passed to the new
|
|
interrupt with code 0x41, and this key is only stored in
|
|
secure memory.
|
|
|
|
8000023041
|
|
|
|
This is Hardware Version 4.
|
|
|
|
This is Software Revision 2.
|
|
|
|
|
|
|
|
(c) 2022 LOCKITALL Page 1/1
|
|
|
|
X:181
|
|
Y:288
|
|
Rating:20
|
|
Patch:""
|